CVE-2015-0285

2015-03-1922:59:03

CWE-310

redhat

web.nvd.nist.gov

cve-2015-0285

openssl 1.0.2

prng

cryptographic protection

remote attackers

network sniffing

brute-force attack

nvd

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

AI Score

5.8

Confidence

High

EPSS

0.006

Percentile

78.7%

JSON

The ssl3_client_hello function in s3_clnt.c in OpenSSL 1.0.2 before 1.0.2a does not ensure that the PRNG is seeded before proceeding with a handshake, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by sniffing the network and then conducting a brute-force attack.

Affected configurations

Nvd

Node

opensslopensslMatch1.0.2

opensslopensslMatch1.0.2beta1

opensslopensslMatch1.0.2beta2

opensslopensslMatch1.0.2beta3

VendorProductVersionCPE
opensslopenssl1.0.2cpe:2.3:a:openssl:openssl:1.0.2:*:*:*:*:*:*:*
opensslopenssl1.0.2cpe:2.3:a:openssl:openssl:1.0.2:beta1:*:*:*:*:*:*
opensslopenssl1.0.2cpe:2.3:a:openssl:openssl:1.0.2:beta2:*:*:*:*:*:*
opensslopenssl1.0.2cpe:2.3:a:openssl:openssl:1.0.2:beta3:*:*:*:*:*:*

Vendor	Product	Version	CPE
openssl	openssl	1.0.2	cpe:2.3:a:openssl:openssl:1.0.2:::::::*
openssl	openssl	1.0.2	cpe:2.3:a:openssl:openssl:1.0.2:beta1::::::
openssl	openssl	1.0.2	cpe:2.3:a:openssl:openssl:1.0.2:beta2::::::
openssl	openssl	1.0.2	cpe:2.3:a:openssl:openssl:1.0.2:beta3::::::